ps/output.c: Harden forest_helper().

This patch solves several problems:

1/ Limit the number of characters written (to outbuf) to OUTBUF_SIZE-1
(-1 for the null-terminator).

2/ Always null-terminate outbuf at q.

3/ Move the "rightward" checks *before* the strcpy() calls.

4/ Avoid an integer overflow in these checks (e.g., rightward-4).
Qualys Security Advisory - committed by Craig Small
parent 62f19dc5df
commit d31f5eb545


@ -339,11 +339,13 @@ STIME stime hms or md time format
static int forest_helper(char *restrict const outbuf){
char *p = forest_prefix;
char *q = outbuf;
int rightward=max_rightward;
int rightward = max_rightward < OUTBUF_SIZE ? max_rightward : OUTBUF_SIZE-1;
*q = '\0';
if(!*p) return 0;
/* Arrrgh! somebody defined unix as 1 */
if(forest_type == 'u') goto unixy;
while(*p){
if (rightward < 4) break;
switch(*p){
case ' ': strcpy(q, " "); break;
case 'L': strcpy(q, " \\_ "); break;
@ -351,10 +353,6 @@ static int forest_helper(char *restrict const outbuf){
case '|': strcpy(q, " | "); break;
case '\0': return q-outbuf; /* redundant & not used */
}
if (rightward-4 < 0) {
*(q+rightward)='\0';
return max_rightward;
}
q += 4;
rightward -= 4;
p++;
@ -362,6 +360,7 @@ static int forest_helper(char *restrict const outbuf){
return q-outbuf; /* gcc likes this here */
unixy:
while(*p){
if (rightward < 2) break;
switch(*p){
case ' ': strcpy(q, " "); break;
case 'L': strcpy(q, " "); break;
@ -369,10 +368,6 @@ unixy:
case '|': strcpy(q, " "); break;
case '\0': return q-outbuf; /* redundant & not used */
}
if (rightward-2 < 0) {
*(q+rightward)='\0';
return max_rightward;
}
q += 2;
rightward -= 2;
p++;
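Review bot: The clamp added at the top of forest_helper() (`int rightward = max_rightward < OUTBUF_SIZE ? max_rightward : OUTBUF_SIZE-1;`) is a valid bound only if `outbuf` points at the start of a buffer with at least OUTBUF_SIZE writable bytes, and nothing in the function states or checks that. The function receives a bare pointer, so a caller that passes an offset into a shared output buffer would still let the strcpy() calls run past the end; the call sites are not visible here, so this needs confirming. I would document the contract above the signature, e.g. `/* outbuf must provide at least OUTBUF_SIZE writable bytes; at most OUTBUF_SIZE-1 chars plus the NUL are written */`. The new guards `if (rightward < 4) break;` and `if (rightward < 2) break;` are also safe only while every string copied in the matching switch is exactly 4 or 2 characters long, so a short comment tying the constant to the literal width would protect later edits. The switch cases between the hunks are outside this view.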